As discussed earlier, prominent leaders of the law enforcement community have warned that encryption is restricting their access to unencrypted stored data or message plaintext and that even as the volume of digital information expands, important parts of the digital world are “going dark” as more stored data and communications are encrypted by default. Some members of the intelligence community have concurred that pieces of the digital world are getting “dimmer” although not necessarily “dark.” Thus, some government officials have argued that they need a reliable, timely, and scalable way to access plaintext. They point to (1) the widespread and increasing use of encryption by default in widely used products and services, (2) the myriad national security threats posed by terrorist groups and foreign rivals, (3) the increasing importance of digital evidence as human activity and crime have become increasingly digital, and (4) the limited effectiveness of alternative sources of digital evidence.

Opponents of regulations that would afford government exceptional access to plaintext have objected on a number of legal and practical grounds. Their primary arguments are that any regime by which providers of products and services featuring encryption are required to provide a way for ensuring government access to plaintext likely would (1) be ineffective, (2) pose unacceptable risks to cybersecurity, (3) pose unacceptable risks to privacy and civil liberties, (4) disadvantage U.S. providers of products and services, and (5) hamper innovation in encryption technologies. They take the view that the growing use of information technology and sophisticated collection and analysis capabilities have created a wealth of information for investigators.

With arguments on both sides, how can policymakers and citizens decide what to do? How can they evaluate the policy choices of whether to enable law enforcement and the intelligence community to maintain their current level of access, provide more resources to facilitate lawful government access, impose a legal requirement for mandatory access, or pursue other options? How can they assess the effect of each approach on law enforcement and national security, computer and data security, privacy and civil liberties, competitiveness, and other important values?

To inform that evaluation, this chapter provides a framework of questions that the committee believes any proposal must address. It captures the issues that the committee grappled with as it considered potential approaches and the broader context in which they arise. The objective of this framework is not simply to help policymakers determine whether a particular approach is optimal or desirable, but also to help ensure that any approach that policymakers might pursue is implemented in a way that maximizes its effectiveness while minimizing harmful side effects.

Importantly, in addressing these questions, policymakers will have to contend with incomplete data, limits on the ability to measure important properties, and an inability to fully predict the consequences of courses of action (Box 7.1). They will also need to contend with the complexity introduced by the thousands of communications and computing products available today, an international marketplace where new computing and communications products and services are introduced with regularity, and the interactions of those markets with the strategies and policies that are adopted by other nations.

Underlying the questions are a set of trade-offs associated with encryption and government access. One of the fundamental trade-offs is that adding exceptional access capability to encryption schemes necessarily weakens their security to some degree, while the absence of an exceptional access mechanism necessarily hampers government investigations to some degree (Box 7.2). If the extent of those impacts were clear and could be weighed, it would certainly help illuminate the path forward, but, alas, the impacts are not precisely quantifiable. As the debate proceeds, it will help to have a framework to sort through the issues.

BOX 7.1 Data Limitations and Uncertainties

Incomplete data on the impacts on law enforcement. The Federal Bureau of Investigation and some jurisdictions have provided figures for a growing number of phones they cannot unlock, but the data—especially at the state and local level—are incomplete, and these data do not tell us how often investigations and prosecutions are thwarted. It is difficult in practice to collect systematic or comprehensive data: it is time consuming; assessments of impact are inherently subjective; data sources are highly distributed; and there is no infrastructure in place for collection or reporting, especially at the state and local levels. Relatedly, although there is some information about default use of encryption based on its availability in major platforms, there is little data on deliberate use of encryption by either average citizens or criminals.

Limited ability to measure security risks. One of the arguments against adding exceptional access features to encryption systems is that it adds risk when computer systems are already at great risk and that the added risk is unacceptable. The incremental risk of any proposed scheme is quite difficult to quantify, however, given the general difficulty in measuring the security of any computer system.

Difficulty partitioning consumer and business services. One might seek to regulate encryption used for consumer services such as messaging but not business services where the added security risks might outweigh the benefits for law enforcement investigations. However, such efforts to partition the problem must take into account the considerable use of consumer services in enterprise settings. For example, “bring your own device” smartphones may be used to authenticate users for sensitive corporate applications. At the same time, unlike in the consumer market, access mechanisms are generally required in business settings for recovery or regulatory compliance.

Technology changes by vendors. One of the alternatives to exceptional access to smartphones is for investigators to obtain cloud backups of phone data. That option would be blocked if vendors were to move, either by default or as an option, to user-controlled encryption. Similarly, vendors’ decisions to encrypt metadata would change its availability to investigators.

Necessarily speculative projections about future behavior. There are also a number of cases where one can only speculate about future behaviors that have bearing on the implications of government regulation of encryption. For example, if the government were to require vendors to provide exceptional access, the effectiveness of that measure would depend in part on how many and which users chose to install alternative applications that do not afford exceptional access. Those who have objected to proposals to require key escrow observe that criminals will simply download noncompliant, unbreakable encryption software, which is widely available globally. On the other hand, most users tend to accept product defaults. What percentage of criminals will actually take the extra step to install and use noncompliant software? Clearly, the answer is greater than 0 percent (some will) but less than 100 percent (some will not). Similarly, some have argued that non-U.S. business customers will be reluctant to buy products whose encryption keys are accessible to the U.S. government. That may be true, too, but some multinational businesses have a U.S. presence and can be compelled to produce plaintext data anyway, while others may store their data out of the reach of the United States (i.e., the U.S. government might be able to compel the production of the key, but it would have no data to decrypt). So what percentage of foreign companies will actually eschew U.S. products because key recovery has been mandated? Again, the answer lies between 0 and 100 percent. In short, with quantification so difficult, it is difficult to assess the trade-offs and difficult to predict, in advance, how any proposed approach will work in practice.

BOX 7.2 A Fundamental Trade-Off

There is a fundamental trade-off associated with providing the government with exceptional access to devices and services that use encryption to protect the confidentiality of communications or stored data or to lock devices. Exceptional access necessarily weakens security to some degree, while the absence of exceptional access necessarily hampers government investigations to some degree.

Impact on security. Exceptional access features, no matter how well designed and implemented, will reduce the security of the devices and services that include them to some degree as a result of the added complexity and greater potential for weaknesses in their design, implementation, or operation. How much security is reduced, and whether the resulting level of security remains acceptable, depend on the specific technical and operational details of the exceptional access mechanism and on the requirements and perspectives of users. Additionally, although the probability of failure associated with exceptional access may be low, the consequences can include a failure that affects many or even all users of a system or service. Quantifying the incremental risk from adding exceptional access mechanisms is made more difficult by our poor ability to characterize or measure cybersecurity risks more generally.

Impact on government investigations. If exceptional access features are not provided in widely used devices and services that use encryption, law enforcement and intelligence investigations will, taken as a whole, be more difficult owing to the loss of information. Some investigations will take longer or require more resources to resolve. Other investigations will be entirely thwarted because critical evidence is unavailable. The impact on the investigation will vary depending on the particular circumstances of the case and the extent to which other investigative avenues, including the use of other sources of digital evidence, can compensate for the lost information. The impact on society when an investigation is hindered or thwarted will depend on the scope and scale of the associated crime or national security threat, which can range from undetected or unpunished commission of an individual crime to commission of a major criminal conspiracy or a terrorist plot affecting a large number of victims. Quantifying the impact of lost information on investigations or the net effect on government investigations has been complicated by a lack of systematic data and the inherent difficulty of predicting the risks of major criminal activity or national security threats.

With any proposal, one should certainly explore all the foreseeable consequences, and the framework provides a tool for doing so. Potential flaws do not, however, necessarily invalidate an option. There are unlikely to be options that satisfy everyone, and solutions will be, at best, only partially effective. Circumstances will also change over time, in ways that cannot reliably be foreseen. This is especially true for those in the United States anticipating events and trends overseas.

The framework is designed to be applicable to (1) regulatory requirements, such as a general requirement that the manufacturers of a particular device must ensure lawful access to that device; (2) policy choices, such as a decision to provide more funding to support efforts by government agencies to obtain lawful access to plaintext; and (3) particular technologies or system modifications that might be imposed by law or implemented in response to a general requirement for access. The questions that follow use the term “approach” to describe all of these.

The more specific the approach being considered, the greater the ease and precision with which the framework may be applied. This does not mean that a vague proposal is necessarily desirable or undesirable, but simply that it will be more difficult (and, in some cases, impossible) for policymakers and others to assess its desirability. This is a significant point because the stakes involve critical values to our society.

The questions that comprise the framework are as follows:

1. To what extent will the proposed approach be effective in permitting law enforcement and/or the intelligence community to access plaintext at or near the scale, timeliness, and reliability that proponents seek?

This question has four elements. The first is whether the proposed approach works to provide access to plaintext. An approach that cannot be demonstrated to work is unlikely to warrant further consideration. The second is what scale, timeliness, and reliability are needed to achieve the desired objective. For example, a lesser scale may be needed if the objective is to afford access in the more limited number of situations where critical national security interests are at stake. The third is whether the proposed approach works at the scale, timeliness, and reliability necessary to achieve its proponents’ objectives. The fourth is how long the solution will be effective in the face of rapid technological change.

Some ways of obtaining access to plaintext are slow and resource intensive. These may be entirely appropriate for one-off needs. For example, the Federal Bureau of Investigation reportedly paid around $1 million in 2016 for a way to access the encrypted iPhone used by a San Bernardino terrorist. However, whether or not that was an effective approach when the government sought access to only a single encrypted device, if the goal is to provide access to a large number of encrypted communications or the content on many encrypted devices, then the proposed approach must work far more efficiently and cost effectively. An approach may not provide 100 percent of the desired access, but it needs to be worth the effort and worth the trade-offs.

Determining whether a proposed approach works at scale is often not easy because multiple components must not only be evaluated individually but also assessed for how well they integrate together. For example, a requirement that mobile phone manufacturers provide some way for law enforcement or intelligence officials to bypass encryption on devices requires not only testing the method for how well it works in real-world settings, but also assessing the tools for verifying the credentials of government officials who seek access and the tools for ensuring that access is provided only when legally authorized. In addition, evaluating effectiveness at scale also requires considering how easy it is for end-users to disable or otherwise circumvent the proposed approach, for example, by using an encrypted app or altering the device’s encryption. It also involves understanding what requirements regarding robustness against skilled adversaries are practical to include, and how effective they would be. Evaluating effectiveness at scale requires not only defining what the needs are but also estimating the investment in the people, equipment, and facilities required to provide access that is sufficiently responsive to meet the needs of law enforcement and the intelligence community.

2. To what extent will the proposed approach affect the security of the type of data or device to which access would be required, as well as cybersecurity more broadly?

Given how important encryption is for the security of devices, systems, and data; the magnitude of cybersecurity threats faced in the digital environment; and how great the consequences can be of falling victim to those threats, it is critical to determine whether and to what extent a proposed approach is likely to affect cybersecurity more broadly.

This question consists of two parts. The first focuses on the specific context in which access to plaintext is sought and asks whether the proposed approach would affect the security of that particular type of communication, device, or service. This would include an assessment of what risks the proposed approach might add as well as the context of existing risks associated with the device or service. The second question asks about the broader impact of the proposed approach on security generally and is likely to be more difficult—but also more important—to answer. For example, the use of surveillance or a spear phishing attack to obtain the password to a single mobile phone poses a serious risk to the security of data on that device, but low risk to any other device. Conversely, a limit on the strength of encryption that may be provided in products and services would pose a much broader security challenge.

Answering this question also requires considering what happens in the case of failure—for example, if access credentials or known vulnerabilities are stolen from law enforcement or intelligence officials, as happened with the publication of known vulnerabilities in 2016 and 2017 that were reportedly stolen from the Central Intelligence Agency and National Security Agency. Even without a theft from a government agency, how likely is the method for gaining access to be exploited by unauthorized third parties? Is there a reliable way to cancel stolen credentials or to notify equipment and service providers of known vulnerabilities and prevent their exploitation? If the system is compromised, what is the potential scale of abuse that could occur? Is it possible to detect that a system or credentials have been compromised?

3. To what extent will the proposed approach affect the privacy, civil liberties, and human rights of targeted individuals and others?

Encryption, like all technological innovations, can be used for either legitimate or illicit purposes. Some of those legitimate uses include protecting the privacy of communications and other content. As we have seen, the law in many countries—including the Constitution in the United States—protects personal privacy. It is therefore important to consider to what extent a proposed approach could threaten legally protected privacy rights and other civil liberties.

This inquiry, too, has two elements. The first focuses on individuals who are specifically targeted by law enforcement or by the intelligence community and is concerned with how well a proposed approach ensures that government access will be permitted only with appropriate authorization and only to the content specifically authorized.

The second part of the question focuses on the privacy and civil liberties interests of people who are not targeted. How likely is it that the proposed approach could be used for unauthorized surveillance, whether accidental or deliberate, and how well does the approach guard against unauthorized surveillance? Will the proposed approach result in such greatly increased surveillance—even when authorized—that it will chill free expression or free association? Even if it is used as planned and authorized, to what extent will the proposed approach permit collection of information about people who are not targeted, including those who may be communicating with targets? Does the approach include appropriate minimization procedures or other safeguards to limit the use of communications of people who are not targets?

4. To what extent will the proposed approach affect commerce, economic competitiveness, and innovation?

Encryption has become a mainstay of commerce as a way of not only protecting the content of communications and documents, but also verifying the identity of communicating parties and of protecting the integrity of transactions, especially online. Policymakers should therefore consider to what extent a proposed approach is likely to affect commerce.

This inquiry should also consider the likely impact of any proposed approach on the economic competitiveness of U.S. providers of equipment, software, cloud-computing services, and encryption tools themselves. Will the proposed approach limit the ability of U.S. service providers and manufacturers to market their products and services as secure options or otherwise compete in other countries?

Finally, how does the proposed approach affect the ability of the scientific and technical research community to continue to advance encryption technologies or the U.S. industry to innovate in the development and deployment of new products and services?

5. To what extent will financial costs be imposed by the proposed approach, and who will bear them?

Any approach to ensuring government access to plaintext will impose costs. This inquiry focuses on the financial costs and asks, first, how great are those costs likely to be? In answering this question, it is important to consider the full range of financial costs and the full range of parties who might incur them. For example, those costs may include not only the expenses associated with engineering and design, testing, implementation, compliance, enforcement, and oversight, but also opportunity costs of customers who may go elsewhere or products and services that might not be offered.

The second part of the inquiry focuses on who bears those costs. Under some laws, such as the Communications Assistance for Law Enforcement Act, the U.S. government covered only part of the costs incurred by industry. Will that be the case with the proposed approach: Will the costs incurred by industry, individuals, and states be covered in whole or in part by the federal government?

6. To what extent is the proposed approach consistent with existing law and other government priorities?

It is obviously necessary that any approach enacted by the government comply with relevant legal requirements. Constitutional requirements cannot be changed simply by enacting a new law. More than just compliance, it is also important that policymakers consider the degree to which a proposed approach is consistent with other laws and other government objectives. For example, what would the effects of a proposal be on freedom of expression and association?

These considerations also arise in an international context. The availability of encrypted communications has been a key tool for organizing protests and resisting authoritarian governments. Support for democracy movements around the world has, at least historically, been an important objective of U.S. foreign policy. Enacting laws that would ensure government access to encrypted communications, depending on the specific mechanisms required, could conflict with that longstanding objective.

An issue related to consistency with existing law is whether unsettled questions of law may make a particular approach more challenging or otherwise less attractive. For example, policymakers may want to consider the impact of unsettled law regarding Fifth Amendment implications of requiring an individual to provide a biometric or a passcode.

7. To what extent will the international context affect the proposed approach, and what will be the impact of the proposed approach internationally?

Although laws are typically limited by state or national jurisdictional boundaries, flows of information and markets for digital products and services are increasingly global. It is therefore important for policymakers to consider both the impact of a proposed approach in the broader multinational context as well as the impact of multinational considerations on the proposed approach. For example, to what extent will a proposed approach to ensuring access to plaintext affect international trade or the quest for democracy in other countries? What would be its impact on foreign users not targeted by the U.S. government? How will it affect U.S. nationals traveling abroad? How would a proposed approach jeopardize existing international agreements around privacy and cybersecurity? For example, what are the implications for the EU-U.S. Privacy Shield Framework, which provides companies with a mechanism to comply with data protection requirements for personal data transferred to the United States?

International developments may also have an impact on the effectiveness of a proposed approach. For example, if U.S. law limits the strength of U.S. encryption products or requires that there be a guaranteed way for the U.S. government to access plaintext, will users simply switch to products and services that are not subject to such a law? Will enforcement be practical if users can download nonconforming encryption products from the Web—or implement their own solutions based on globally available knowledge? What, if any, enforcement will be necessary at border crossings to cover people who enter carrying noncompliant devices? Or will the new requirements make U.S. users’ communications or equipment less secure against foreign intrusion?

8. To what extent will the proposed approach be subject to effective ongoing evaluation and oversight?

Any measure for ensuring government access to plaintext is liable to be misused, whether accidentally or deliberately. The more powerful and far-reaching the approach, the greater the harm that may result from its misuse. It is therefore important that the approach be subject to effective and continuing evaluation and oversight and include a robust and assured audit mechanism that supports detection of misuse, detection of authorized use that has unintended consequences (e.g., on specific populations or international stakeholders), and detection of degradation in the effectiveness of the approach as it is applied. This will help ensure compliance with the Constitution and other law, guard against relying on and investing scarce resources in approaches that do not work, and sustain public support for any proposed approach. Policymakers are therefore advised to consider whether the evaluation and oversight mechanisms are sufficiently reliable, robust, and effective, especially in light of the breadth of their scope.

* * *

The committee anticipates that developing and debating answers to these questions will help illuminate the underlying issues and trade-offs and help inform the debate over government access to plaintext. Moreover, it is the committee’s hope that the analytical framework above, together with the common vocabulary and context provided by this report, will facilitate an ongoing, frank conversation, involving all parties, about the encryption debate and proposed approaches.

Encryption protects information stored on smartphones, laptops, and other devices - in some cases by default. Encrypted communications are provided by widely used computing devices and services - such as smartphones, laptops, and messaging applications - that are used by hundreds of millions of users. Individuals, organizations, and governments rely on encryption to counter threats from a wide range of actors, including unsophisticated and sophisticated criminals, foreign intelligence agencies, and repressive governments. Encryption on its own does not solve the challenge of providing effective security for data and systems, but it is an important tool.

At the same time, encryption is relied on by criminals to avoid investigation and prosecution, including criminals who may unknowingly benefit from default settings as well as those who deliberately use encryption. Thus, encryption complicates law enforcement and intelligence investigations. When communications are encrypted "end-to-end," intercepted messages cannot be understood. When a smartphone is locked and encrypted, the contents cannot be read if the phone is seized by investigators.

Decrypting the Encryption Debate reviews how encryption is used, including its applications to cybersecurity; its role in protecting privacy and civil liberties; the needs of law enforcement and the intelligence community for information; technical and policy options for accessing plaintext; and the international landscape. This book describes the context in which decisions about providing authorized government agencies access to the plaintext version of encrypted information would be made and identifies and characterizes possible mechanisms and alternative means of obtaining information.
